Affirm Data Processing Addendum

UPDATED AS OF: April 14, 2025

This Data Processing Addendum (“DPA”) is incorporated into the Merchant Agreement or Partnership Agreement (the “Agreement”) between the Affirm entity (“Affirm”) and Merchant or Partner which are Parties to that Agreement (“Merchant”). This DPA is effective on the Effective Date of the Agreement, unless this DPA is separately executed, in which case it is effective on the date of the last signature below. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA will control.

1. Definitions. The terms “Personal Data,” “Data Subject,” “Process,” and “Controller” as used in this DPA have the meanings given by Applicable Privacy Law or, absent any such meaning, given by the GDPR. As used in this DPA, “Personal Data” will have the meaning of “Personal Information” or “Nonpublic Personal Information,” each as used in Applicable Privacy Law. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.

(a) “Applicable Privacy Law” means court orders, laws, regulations, codes, orders, rules and guidelines imposed by law, competent government authority, governing body or regulator in each country and jurisdiction governing data protection, information security and data privacy applicable to the Processing of Personal Data. For the avoidance of doubt, Applicable Privacy Law includes applicable GLBA and Canadian law restrictions on reuse and redisclosure.

(b) “GLBA” means Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and the implementing privacy and security regulations issued pursuant to the Gramm-Leach-Bliley Act.

(c) “GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended from time to time, in the European Economic Area (“EEA”).

(d) “Industry Recognized Security Practices” means generally accepted industry practices, which may include but are not limited to, the International Organization for Standardization (ISO)/IEC 27001:2022 – Information Security Management Systems – Requirements and ISO/IEC 27002:2022 – Information Security Controls; the National Institute of Standards and Technology (NIST) Cybersecurity Framework; the Control Objectives for Information and related Technology (COBIT) standards; the American Institute of Certified Public Accountants (AICPA) System and Organization Controls 2 (SOC 2); or other applicable industry standards for information security.

(e) “Restricted Country” means (i) where the GDPR applies, a country outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR (as defined below) and the Data Protection Act 2018 (“DPA 2018”) apply, countries that have not been specified by the Secretary of State to ensure an adequate level of protection of Personal Data under Section 17A of the DPA 2018.

(f) “Security Incident” means an actual loss of, unauthorized access to, or unauthorized Processing of a Party’s Confidential Information on information systems owned, controlled, or subcontracted by the other Party, or any other confidentiality incident which requires disclosure in accordance with Applicable Privacy Law.

(g) “Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of June 4, 2021 for the transfer of Personal Data to third countries; and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the DPA 2018 (“UK Addendum”), in each case, as amended or superseded from time to time.

(h) “UK GDPR” is as defined in Section 3(10) of the DPA 2018, as supplemented by Section 205(4), as amended from time to time.

2. Role of the Parties. Subject to Applicable Privacy Law (including, but not limited to any consent or notice requirements), each Party is a separate and independent Controller of Personal Data disclosed or made available to it in connection with the Agreement.

3. General Obligations.

(a) Each Party will comply with Applicable Privacy Law and take all actions and implement all measures necessary to support the Processing of Personal Data as a separate and independent Controller under this Agreement. Each Party will reasonably cooperate with and assist the other Party with meeting the other Party’s obligations under Applicable Privacy Law and will promptly notify the other Party if it receives any complaint, notice, or communication that relates to the other Party's compliance with Applicable Privacy Law.

(b) Notwithstanding anything to the contrary in this DPA, neither Party will sell or make Personal Data available to the other Party in exchange for any monetary value or other consideration, and Merchant will not Process Personal Data in a manner that establishes credit eligibility or that gatekeeps or steers consumers to or away from certain payment products.

4. Data Security.

(a) Each Party will establish, maintain and comply with physical, technical and administrative controls and an accurate, comprehensive, up-to-date data security program, policies, and data security measures consistent with Applicable Privacy Law and Industry Recognized Security Practices (which will at a minimum include the measures set forth in Appendix A) to protect against Security Incidents.

(b) In the event either Party suffers or learns of any Security Incident, the Party on whose systems the Security Incident occurred (the “Impacted Party”) will: (i) promptly (but in no event later than 48 hours following confirmation of the Security Incident) notify the other Party in writing of such Security Incident and furnish the other Party with the details of such Security Incident; (ii) cooperate in any reasonable effort, action or proceeding to protect all Confidential Information subject to such Security Incident and to reasonably mitigate and/or remediate the impact of the Security Incident; (iii) promptly use commercially reasonable efforts to prevent a recurrence of any future Security Incident; and (iv) as applicable, come into compliance with Applicable Privacy Law. In the event of a Security Incident, the Parties will cooperate regarding any notifications which are required under Applicable Privacy Law, and the other Party will have the right to audit or conduct (or cause a qualified, independent third party to audit or conduct) a security assessment for verification of the Impacted Party’s data security obligations as set forth in this DPA. Such security assessment will be at the other Party’s sole cost and election. All notices to Affirm under this Section 4 will be sent to infosec@affirm.com.

(c) Merchant will ensure that: (i) Merchant’s connectivity to Affirm’s information systems, and all attempts at the same, will be only through Affirm’s procedures, which can be obtained at https://docs.affirm.com/developers/docs; (ii) Merchant will not access, and will not permit unauthorized persons or entities to access, Affirm’s information systems without Affirm’s express written authorization, and any such actual or attempted access will be consistent with Affirm’s authorization; and (iii) Merchant will take appropriate measures to ensure that Merchant’s information systems which connect to Affirm’s information systems, and anything provided to Affirm, do not contain any computer code, programs, mechanisms, or programming devices designed to, or that would, enable the disruption, modification, deletion, damage, deactivation, disabling or harm of, or otherwise be an impediment, in any manner, to the operation of Affirm’s services or information systems, and Merchant will immediately notify Affirm upon detection of any vulnerabilities thereto.

(d) To the extent a Party Processes Cardholder Data (as defined by the PCI Security Standards Council), it will comply with Payment Card Industry Data Security Standard (“PCI DSS”) requirements.

5. International Data Transfers. Each Party will only transfer Personal Data across international borders and between jurisdictions to the extent permitted by the Agreement and in accordance with Applicable Privacy Law. In the event of a conflict between this DPA and the SCCs, the provisions of the SCCs, to the extent applicable, will control.

(a) EEA Personal Data Transfer. Transfers of Personal Data from the EEA to a Restricted Country will be conducted in accordance with this DPA and the SCCs, including, as applicable, the Controller-to-Controller SCCs (located at https://www.affirm.com/terms/controller-to-controller), which SCCs are incorporated herein by reference. Appendix A hereto provides additional details as required by Annexes I and II of the SCCs.

(b) UK Personal Data Transfer. Transfers by either Party of Personal Data involving the UK, either in addition to the EEA or separately, to a Restricted Country will be conducted in accordance with this DPA and the SCCs, including, as applicable, the UK Addendum (located at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf), the terms of which are incorporated herein by reference. For purposes of the UK Addendum, the information required for the purposes of Part 1 (Tables) of the UK Addendum will be populated with the relevant information set out in this DPA (see Appendix B).

6. Affirm Contact/Representative. Please contact privacylegal@affirm.com regarding any questions or issues related to this DPA. 

APPENDIX A

1. The following chart includes the information required by Annex I of the SCCs.

Data exporter(s)

Name: Merchant

Address: As provided in the Order Form or as otherwise provided by Merchant

Contact person’s name, position and contact details: As provided by Merchant

Activities relevant to the data transferred under these SCCs: Providing goods and services upon request to customers

Role (controller/processor): Controller

Name: Affirm

Address: As provided in the Order Form or as otherwise provided by Affirm

Contact person’s name, position and contact details: Privacy@affirm.com

Activities relevant to the data transferred under these SCCs: Providing services upon request to customers

Role (controller/processor): Controller

Data importer(s)

Name: Affirm

Address: As provided in the Order Form or as otherwise provided by Affirm

Contact person’s name, position and contact details: Privacy@affirm.com

Activities relevant to the data transferred under these SCCs: Providing services upon request to customers

Role (controller/processor): Controller

Name: Merchant

Address: As provided in the Order Form or as otherwise provided by Merchant

Contact person’s name, position and contact details: As provided by Merchant

Activities relevant to the data transferred under these SCCs: Providing goods and services upon request to customers

Role (controller/processor): Controller

Categories of Data Subjects

Customers (individuals acting in a personal or household capacity); Representatives

Categories of Personal Data

Personal identification data; transaction information

Special Category Personal Data (if applicable)

None

Frequency of the transfer

On a continuous basis

Nature of the Processing

The Data Importer will Process the Personal Data as described in the Agreement for the duration and scope set forth in the Agreement.

Purposes of Data Transfer and Further Processing

Data Importer’s purposes of Processing are to facilitate its provision of products or services to joint customers of Data Exporter and Data Importer and as otherwise set forth in the Agreement.

Period for which the Personal Data will be Retained

Subject to Applicable Privacy Law, Personal Data will be retained in accordance with the Agreement.

For Transfers to (Sub-) Processors, Subject Matter, Nature and Duration of the Processing

The subject matter and nature of the Processing are described in the Agreement. Subject to Applicable Privacy Law and the data retention and deletion provisions of the Agreement, the duration of the Processing is the duration of the Agreement (including any survival period).

Competent supervisory authority/ies in accordance with Clause 13

For transfers from the EEA, Poland: Urząd Ochrony Danych Osobowych (the Office for Personal Data Protection); and

For transfers from the UK, the Information Commissioner's Office.

2. The following chart includes the information required by Annex II of the SCCs.

Contractual

Data Importer will sign appropriate data transfer agreements in accordance with Applicable Privacy Law.

Security of Transmission

Personal Data is only transferred in an encrypted state using industry-standard, non-deprecated algorithms and protocols.

Organizational Safeguards

- Documented security policies and procedures are in place and are made available to all employees.

- Employees are required to complete annual security training.

- Regular audits of organizational and technical protection measures are conducted.

- Procedures and personnel are in place for identifying, responding to, and mitigating the impact of, security risks and incidents.

- Roles and responsibilities are defined with regard to data, network, and systems access.

Technical Safeguards

- Disk encryption and anti-malware software are required on all company-issued equipment.

- Controls are in place that actively monitor the system and its peripheral systems for intrusions and vulnerabilities.

- Centralized logging is maintained for security-relevant events on systems.

- Data stored within the network in a secure subnet is not accessible by the outside network without proper identity and access management, including multi-factor authentication.

- Personal Data is encrypted at rest and in transit with industry-standard, non-deprecated algorithms and protocols.

- User access roles and permissions are defined based on job function, and access provisioning and deprovisioning are conducted in an automated fashion. 

- System changes are introduced and change approvals automatically enforced according to defined procedures.

APPENDIX B

1. The following chart includes the information required by Part 1: Tables of the UK Addendum.

Table 1: Parties

Parties' details

As set out in APPENDIX A

Key Contacts

As set out in APPENDIX A

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the EU SCCs that are incorporated into this DPA by way of reference (per Section 5(a)) is the version to which this UK Addendum is appended.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:

As set out in Section 1 of Appendix A (Annex I information).

Annex 1B: Description of Transfer:

As set out in Section 1 of Appendix A (Annex I information).

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data:

As set out in Section 2 of Appendix A (Annex II information).

Annex III: List of sub-processors (Modules 2 and 3 only):

N/A

Table 4: Ending this Addendum when the Approved Addendum Changes

Neither Party may end the UK Addendum, as per Section 19 of the UK Addendum.